Backend Engineering
brian | Published: Feb. 24, 2024, 9:51 a.m. | Updated: May 25, 2025, 2:05 p.m.
What is an HTTP Cookie?
HTTP cookies are small blocks of data created by the web server while the user is browsing a website and stored on the user's device by the web browser. On later visits the browser automatically sends the cookie back to that server with every request, which gives the otherwise stateless HTTP protocol state (a memory of previous events).
Benefits Of Cookies
They let web servers keep stateful information across requests: for example the contents of a shopping cart (nowadays usually kept in the server's database, with the cookie only identifying the cart), a record of the user's activity such as search history, or a remembered login field such as an email address. A password should never be stored in a cookie.
Authentication Cookie
Authentication cookies let web servers tell which users are logged in and which account each one is logged into. Without an authentication cookie, a user who logged in and then clicked another link on the same website would have to log in again, because the server has no way to connect the second request to the first.
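A minimal server-side session built on an authentication cookie, as an added example that is not code from the original post. It uses only the Python standard library; the in-memory session store, the cookie name "sid" and the function names are assumptions for the example. Login creates an unguessable session id, returns it as a Set-Cookie header with the HttpOnly, Secure and SameSite attributes set, and later requests are resolved to an account by parsing the Cookie header the browser sends back automatically. Because the state lives on the server, a session can be revoked instantly by deleting it.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Session id -> account name. In a real service this would be Redis or a
# database table; an in-memory dict is an assumption for this example.
SESSIONS: Dict[str, str] = {}

SESSION_COOKIE = "sid"  # cookie name, assumed for the example


def login(username: str) -> str:
    """Create a server-side session and return the Set-Cookie header value."""
    # 32 random bytes from the OS CSPRNG: the id cannot be guessed or enumerated.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True   # JavaScript cannot read it (limits XSS impact)
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs (CSRF)
    morsel["path"] = "/"
    return morsel.OutputString()


def _session_id(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the session id from an incoming request's Cookie header."""
    if not cookie_header:
        return None
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def current_user(cookie_header: Optional[str]) -> Optional[str]:
    """Resolve the logged-in account for a request, or None if not logged in."""
    sid = _session_id(cookie_header)
    return SESSIONS.get(sid) if sid else None


def logout(cookie_header: Optional[str]) -> bool:
    """Revoke the session on the server; the cookie value is worthless afterwards."""
    sid = _session_id(cookie_header)
    return SESSIONS.pop(sid, None) is not None if sid else False


if __name__ == "__main__":
    set_cookie = login("alice")
    print("Set-Cookie:", set_cookie)
    # The browser echoes the cookie back on every request to this site.
    cookie_header = set_cookie.split(";")[0]
    print("user:", current_user(cookie_header + "; theme=dark"))
    logout(cookie_header)
    print("after logout:", current_user(cookie_header))
```

The same cookie value that identified alice resolves to nothing once logout has deleted the server-side record, which is the property a stateless token cannot offer without extra machinery.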
What is a JWT?
A JWT (JSON Web Token) is a token that carries claims about the user's identity and other information. JWTs are stateless: the server does not need to keep a session record, because everything it needs is inside the token. A JWT can be used in place of a cookie, but it must be placed in the HTTP request explicitly by the web application rather than automatically by the browser as a cookie is. As the name implies, it holds a JSON payload. The token is signed either with a shared secret (HMAC) or with a private key whose matching public key is used for verification (RSA or ECDSA). When a user logs in, the server returns the JWT and the client stores it locally. On later requests the client sends it in the Authorization header as "Bearer <token>", and the server only needs to validate the signature (and any expiry claim) rather than look anything up. Note that the payload is only base64url-encoded, not encrypted: anyone who obtains the token can read it.
Structure Of a JWT
JWT are comprised of three parts: The header, payload, and signature
Header: Typically states the signing algorithm in use and the token type, in this case JWT.
Payload: This is where the claims are stored, typically user data. For example, a claim stating that the user is logged in as admin:
{
"loggedInAs": "admin",
"iat": 1422779638
}
Signature: Validates the token. It is computed over the base64url-encoded header and payload joined with a dot, using the shared secret or private key; the token itself is the three base64url parts (header, payload, signature) joined with dots. Anyone can decode the header and payload, but only a holder of the key can produce a signature that verifies, so any change to the payload invalidates the token.